KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)

NAME

       kdc.conf - Kerberos V5 KDC configuration file

       The kdc.conf file supplements krb5.conf(5) for programs which are
       typically only used on a KDC, such as the krb5kdc(8) and kadmind(8)
       daemons and the kdb5_util(8) program.  Relations documented here may
       also be specified in krb5.conf; for the KDC programs mentioned,
       krb5.conf and kdc.conf will be merged into a single configuration
       profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

STRUCTURE

       The kdc.conf file is set up in the same format as the krb5.conf(5)
       file.

SECTIONS

       The kdc.conf file may contain the following sections:

                    ┌──────────────┬────────────────────────────┐
                    │[kdcdefaults] │ Default values for KDC     │
                    │              │ behavior                   │
                    ├──────────────┼────────────────────────────┤
                    │[realms]      │ Realm-specific database    │
                    │              │ configuration and settings │
                    ├──────────────┼────────────────────────────┤
                    │[dbdefaults]  │ Default database settings  │
                    ├──────────────┼────────────────────────────┤
                    │[dbmodules]   │ Per-database settings      │
                    ├──────────────┼────────────────────────────┤
                    │[logging]     │ Controls how Kerberos      │
                    │              │ daemons perform logging    │
                    └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values for
       realm variables, to be used if the [realms] subsection does not contain
       a relation for the tag.  See the [realms] section for the definitions
       of these relations.

       · host_based_services

       · kdc_listen

       · kdc_ports

       · kdc_tcp_listen

       · kdc_tcp_ports

       · no_host_referral

       · restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the KDC
              daemon.  The value may be limited by OS settings.  The default
              value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic challenge.
              See the spake_preauth_groups variable in libdefaults for
              possible values.  The default is not to issue an optimistic
              challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.  The
       value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows how
       to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind(8) uses to determine which principals are allowed which
              permissions on the Kerberos database.  To operate without an ACL
              file, set this relation to the empty string with acl_file = "".
              The default value is /var/kerberos/krb5kdc/kadm5.acl.  For more
              information on the Kerberos ACL file see kadm5.acl(5).

       database_module
              (String.)  This relation indicates the name of the configuration
              section under [dbmodules] for database-specific parameters used
              by the loadable database library.  The default value is the
              realm name.  If this configuration section does not exist,
              default values will be used for all database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location of
              the Kerberos database for this realm, if the DB2 module is being
              used and the [dbmodules] configuration section does not specify
              a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (abstime string.)  Specifies the default expiration date of
              principals created in this realm.  The default value is 0, which
              means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of principals
              created in this realm.  The format for this string is a
              comma-separated list of flags, with '+' before each flag that
              should be enabled and '-' before each flag that should be
              disabled.  The postdateable, forwardable, tgt-based, renewable,
              proxiable, dup-skey, allow-tickets, and service flags default to
              enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets
                     for this principal.  Disabling this flag essentially
                     deactivates the principal within this realm.

              dup-skey
                     Enabling this flag allows the KDC to issue user-to-user
                     service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints to the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use S4U2Self
                     tickets.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then that
                     principal is required to preauthenticate to the KDC
                     before receiving any tickets.  On a service principal,
                     enabling this flag means that service tickets for this
                     principal will only be issued to clients with a TGT that
                     has the preauthenticated bit set.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.  In release 1.17 and later,
                     user-to-user service tickets are still allowed if the
                     dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used to obtain the
                     TGT.

       dict_file
              (String.)  Location of the dictionary file containing strings
              that are not allowed as passwords.  The file should contain one
              string per line, with no additional whitespace.  If none is
              specified or if there is no policy assigned to the principal, no
              dictionary checks of passwords will be performed.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that the
              KDC asserts into tickets obtained using FAST encrypted challenge
              pre-authentication.  New in release 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_master_ulogsize
              (Integer.)  Specifies the maximum number of log entries to be
              retained for incremental propagation.  The default value is
              1000.  Prior to release 1.11, the maximum value was 2500.

       iprop_replica_poll
              (Delta time string.)  Specifies how often the replica KDC polls
              for new updates from the master.  The default value is 2m (that
              is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta time string.)  The name for iprop_replica_poll prior to
              release 1.17.  Its value is used as a fallback if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default (when iprop_enable is true) is to bind to the
              wildcard address at the port specified in iprop_port.  New in
              release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the replica KDC configuration file, and
              this relation or iprop_listen is required in the master
              configuration file, as there is no default port number.  Port
              numbers specified in iprop_listen entries will override this
              port number for the kadmind(8) daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait for a
              full propagation to complete.  This is optional in configuration
              files, and is used by replica KDCs only.  The default value is 5
              minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the realm
              database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5 config
              file, with .ulog appended.  (NOTE: If database_name isn't
              specified in the realms section, perhaps because the LDAP
              database back end is being used, or the file name is specified
              in the [dbmodules] section, then the hard-coded default for
              database_name is used.  Determination of the iprop_logfile
              default value will not use values from the [dbmodules]
              section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
              listening addresses and/or ports for the kadmind(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kadmind_port, or the standard kadmin port (749).
              New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for this realm.  Port numbers specified in
              kadmind_listen entries will override this port number.  The
              assigned port for kadmind is 749, which is used by default.

       key_stash_file
              (String.)  Specifies the location where the master key has been
              stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  If the KDC daemon
              fails to bind to any of the specified addresses, it will fail
              to start.  The default is to bind to the wildcard address on
              the standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_listen if that relation is
              not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc(8) daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the address
              contains colons, enclose it in square brackets.  If no address
              is specified, the wildcard address is used.  If no port is
              specified, the standard port (88) is used.  To disable
              listening on TCP, set this relation to the empty string with
              kdc_tcp_listen = "".  If the KDC daemon fails to bind to any of
              the specified addresses, it will fail to start.  The default is
              to bind to the wildcard address on the standard port.  New in
              release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc(8)
              daemon to listen on for TCP requests.  In release 1.15 and
              later, it has the same meaning as kdc_tcp_listen if that
              relation is not defined.

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind(8) daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to start.
              The default is to bind to the wildcard address at the port
              specified in kpasswd_port, or the standard kpasswd port (464).
              New in release 1.15.

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind(8)
              daemon is to listen for password change requests for this
              realm.  Port numbers specified in kpasswd_listen entries will
              override this port number.  The assigned port for password
              change requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal associated with
              the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.  The
              default value for this is aes256-cts-hmac-sha1-96.  For a list
              of all possible values, see Encryption types.

       max_life
              (duration string.)  Specifies the maximum time period for which
              a ticket may be valid in this realm.  The default value is 24
              hours.

       max_renewable_life
              (duration string.)  Specifies the maximum time period during
              which a valid ticket may be renewed in this realm.  The default
              value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to block
              from getting host-based referral processing, even if the client
              marks the server principal as host-based or the service is also
              listed in host_based_services.  no_host_referral = * will
              disable referral processing altogether.

       des_crc_session_supported
              (Boolean value.)  If set to true, the KDC will assume that
              service principals support des-cbc-crc for session key enctype
              negotiation purposes.  If allow_weak_crypto in libdefaults is
              false, or if des-cbc-crc is not a permitted enctype, then this
              variable has no effect.  Defaults to true.  New in release 1.11.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list of
              transited realms for cross-realm tickets against the transit
              path computed from the realm names and the capaths section of
              its krb5.conf(5) file; if the path in the ticket to be issued
              contains any realms not in the computed path, the ticket will
              not be issued, and an error will be returned to the client
              instead.  If this value is set to false, such tickets will be
              issued anyway, and it will be left up to the application server
              to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, this check is not performed at all.  If the
              reject_bad_transit option is set, such ticket requests will
              always be rejected.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals other
              than the realm's ticket-granting service.  This option allows
              anonymous PKINIT to be enabled for use as FAST armor tickets
              without allowing anonymous authentication to services.  The
              default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that the
              KDC asserts into tickets obtained using SPAKE
              pre-authentication.  The default is not to add any indicators.
              This option may be specified multiple times.  New in release
              1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin(1) will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
              arcfour-hmac-md5:normal.  For lists of possible values, see
              Keysalt lists.

   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not contain a
       relation for the tag.  See the [dbmodules] section for the definitions
       of these relations.

       · ldap_kerberos_container_dn

       · ldap_kdc_dn

       · ldap_kdc_sasl_authcid

       · ldap_kdc_sasl_authzid

       · ldap_kdc_sasl_mech

       · ldap_kdc_sasl_realm

       · ldap_kadmind_dn

       · ldap_kadmind_sasl_authcid

       · ldap_kadmind_sasl_authzid

       · ldap_kadmind_sasl_mech

       · ldap_kadmind_sasl_realm

       · ldap_service_password_file

       · ldap_servers

       · ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section is
       the name of a Kerberos realm or a section name specified by a realm's
       database_module parameter.  The following example shows how to define
       one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database in
              the filesystem.  The default is /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for the LMDB
              module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last successful
              authentication" field of principal entries requiring
              preauthentication.  Setting this flag may improve performance.
              (Principal entries which do not require preauthentication never
              update the "Last successful authentication" field.)  First
              introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout.  First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to be
              maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding to
              the LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn, while
              the kadmind(8) daemon and other administrative programs use
              ldap_kadmind_dn.  The kadmind DN must have the rights to read
              and write the Kerberos data in the LDAP database.  The KDC DN
              must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are ignored
              if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all SASL
              mechanisms require an authentication identity.  If the SASL
              mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New in
              release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization identity
              to use when binding to the LDAP server.  In most circumstances
              they do not need to be specified.  New in release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do not
              need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container object
              where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers that
              the Kerberos servers can connect to.  The list of LDAP servers
              is whitespace-separated.  Each LDAP server is specified by an
              LDAP URI.  It is recommended to use ldapi: or ldaps: URLs to
              connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the stashed
              passwords (created by kdb5_ldap_util stashsrvpw) for the
              ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two
              database environments in megabytes.  The default value is 128.
              Increase this value to address "Environment mapsize limit
              reached" errors.  New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of
              concurrent reading processes for the databases.  The default
              value is 128.  New in release 1.17.

       nosync This LMDB-specific tag can be set to improve the throughput of
              kadmind and other administrative agents, at the expense of
              durability (recent database changes may not survive a power
              outage or other sudden reboot).  It does not affect the
              throughput of the KDC.  The default value is false.  New in
              release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing each
              principal.  Setting this flag to true can prevent extended
              blocking of KDC or kadmin operations when dumps of large
              databases are in progress.  First introduced in release 1.13.

       The following tag may be specified directly in the [dbmodules] section
       to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.
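
       An added example (not this man page's or MIT Kerberos code) that reads
       a kdc.conf-style profile and audits the [realms] and [dbmodules]
       relations described above: an empty acl_file, reject_bad_transit =
       false, a default_principal_flags value that leaves preauth off,
       deprecated key types in supported_enctypes, and disable_lockout = true
       in the subsection named by the realm's database_module.  The realm
       EXAMPLE.TEST, the sample profile, the minimal profile parser and the
       function names are this example's own assumptions.

```python
import re

# Constructed sample profile: the realm name and values are made up, the
# relation names are the ones documented in kdc.conf(5).
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.TEST = {
        acl_file = ""
        reject_bad_transit = false
        default_principal_flags = -forwardable
        supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal arcfour-hmac-md5:normal
        database_module = example_db
    }

[dbmodules]
    example_db = {
        db_library = db2
        disable_lockout = true
    }
"""

# Flags default_principal_flags turns on unless a '-flag' entry removes them.
DEFAULT_ON_FLAGS = frozenset({"postdateable", "forwardable", "tgt-based", "renewable",
                              "proxiable", "dup-skey", "allow-tickets", "service"})
# Single-DES, triple-DES and RC4 key types are deprecated; new principals
# should not receive keys of these types.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-")


def parse_profile(text):
    """Parse krb5.conf(5)-style text into {section: {tag: value or subsection}}.
    Subsections (tag = { ... }) nest one level, which is all kdc.conf uses."""
    profile, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = profile.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            sub = None
            continue
        tag, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            sub = section.setdefault(tag, {})
        else:
            (section if sub is None else sub)[tag] = value.strip('"')
    return profile


def effective_flags(spec):
    """Apply a default_principal_flags string ('+a,-b,...') to the default set."""
    flags = set(DEFAULT_ON_FLAGS)
    for item in (s.strip() for s in spec.split(",")):
        if item.startswith("+"):
            flags.add(item[1:])
        elif item.startswith("-"):
            flags.discard(item[1:])
    return flags


def is_true(value):
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit(profile):
    """Return (realm, relation, message) tuples for settings that weaken the KDC."""
    findings = []
    dbmodules = profile.get("dbmodules", {})
    for realm, cfg in profile.get("realms", {}).items():
        if not isinstance(cfg, dict):
            continue
        if cfg.get("acl_file") == "":
            findings.append((realm, "acl_file", "kadmind runs without an ACL file"))
        if not is_true(cfg.get("reject_bad_transit", "true")):
            findings.append((realm, "reject_bad_transit",
                             "cross-realm transit path is left to application servers"))
        if "preauth" not in effective_flags(cfg.get("default_principal_flags", "")):
            findings.append((realm, "default_principal_flags",
                             "new principals do not require pre-authentication"))
        weak = [ks for ks in cfg.get("supported_enctypes", "").split()
                if ks.startswith(WEAK_ENCTYPE_PREFIXES)]
        if weak:
            findings.append((realm, "supported_enctypes",
                             "deprecated key types for new principals: " + ", ".join(weak)))
        # database_module names the [dbmodules] subsection; it defaults to the realm name.
        dbcfg = dbmodules.get(cfg.get("database_module", realm), {})
        if is_true(dbcfg.get("disable_lockout", "false")):
            findings.append((realm, "disable_lockout", "account lockout is disabled"))
    return findings


if __name__ == "__main__":
    for realm, relation, message in audit(parse_profile(SAMPLE_KDC_CONF)):
        print(f"{realm}: {relation}: {message}")
```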
596
   [logging]
       The [logging] section indicates how krb5kdc(8) and kadmind(8) perform
       logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind(8) performs logging.

       kdc    Specifies how krb5kdc(8) performs logging.

       default
              Specifies how either daemon performs logging in the absence of
              relations specific to the daemon.

       debug  (Boolean value.)  Specifies whether debugging messages are
              included in log outputs other than SYSLOG.  Debugging messages
              are always included in the system log output because syslog
              performs its own priority filtering.  The default value is
              false.  New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the
              filename.  If the = form is used, the file is overwritten.  If
              the : form is used, the file is appended to.

       STDERR This value causes the daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the
              specified device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the system
              log.

              For backward compatibility, a severity argument may be
              specified, and must be specified in order to specify a
              facility.  This argument will be ignored.

              The facility argument specifies the facility under which the
              messages are logged.  This may be any of the following
              facilities supported by the syslog(3) call minus the LOG_
              prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON,
              and LOCAL0 through LOCAL7.  If no facility is specified, the
              default is AUTH.

       In the following example, the logging messages from the KDC will go to
       the console and to the system log under the facility LOG_DAEMON with
       default severity of LOG_INFO; and the logging messages from the
       administrative server will be appended to the file /var/adm/kadmin.log
       and sent to the device /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04
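
       As an added example (it is not part of this man page or of MIT krb5),
       the following Python parser applies the logging specification forms
       above: it keeps the overwrite/append distinction between FILE= and
       FILE:, ignores the SYSLOG severity, fills in the AUTH facility default,
       rejects facilities outside the list, and resolves the default relation
       for a daemon that has none of its own.  The stanza it reads is
       constructed from the example above with a default relation added.

```python
import re

SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
                     "UUCP", "CRON"} | {"LOCAL%d" % i for i in range(8)}


def parse_logging_spec(spec):
    """Turn one logging specification into a dict describing the sink."""
    spec = spec.strip()
    if spec == "STDERR":
        return {"sink": "stderr"}
    if spec == "CONSOLE":
        return {"sink": "console"}
    if spec.startswith("FILE=") or spec.startswith("FILE:"):
        # '=' truncates the file when the daemon starts, ':' appends to it.
        mode = "overwrite" if spec[4] == "=" else "append"
        path = spec[5:]
        if not path:
            raise ValueError("FILE spec without a filename: %r" % spec)
        return {"sink": "file", "path": path, "mode": mode}
    if spec.startswith("DEVICE="):
        return {"sink": "device", "path": spec[len("DEVICE="):]}
    if spec == "SYSLOG" or spec.startswith("SYSLOG:"):
        parts = spec.split(":")
        # parts[1] is the severity: accepted for compatibility, ignored.
        # A facility can only follow a severity and defaults to AUTH.
        facility = parts[2].upper() if len(parts) > 2 and parts[2] else "AUTH"
        if (len(parts) > 3 or (len(parts) > 2 and not parts[1])
                or facility not in SYSLOG_FACILITIES):
            raise ValueError("bad SYSLOG spec: %r" % spec)
        return {"sink": "syslog", "facility": "LOG_" + facility}
    raise ValueError("unrecognized logging specification: %r" % spec)


def parse_logging_section(text):
    """Collect the relations of a [logging] stanza; repeated tags accumulate."""
    sinks = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        # Split at the first '=' only, so 'kdc = FILE=/x' keeps its value.
        tag, _, value = line.partition("=")
        sinks.setdefault(tag.strip(), []).append(parse_logging_spec(value))
    return sinks


def effective_sinks(section, daemon):
    """Sinks a daemon uses: its own relations, else the 'default' relation."""
    return section.get(daemon) or section.get("default", [])


# Constructed sample: the example stanza above plus a default relation.
SAMPLE = """
[logging]
    default = STDERR
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/adm/kadmin.log
    admin_server = DEVICE=/dev/tty04
"""
```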

   [otp]
       Each subsection of [otp] is the name of an OTP token type.  The tags
       within the subsection define the configuration required to forward a
       One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can be a
              hostname with optional port, an IP address with optional port,
              or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the secret used to encrypt
              the RADIUS packets.  The secret should appear in the first line
              of the file by itself; leading and trailing whitespace on the
              line will be removed.  If the value of server is a Unix domain
              socket address, this tag is optional, and an empty secret will
              be used if it is not specified.  Otherwise, this tag is
              required.

       timeout
              An integer which specifies the time in seconds during which the
              KDC should attempt to contact the RADIUS server.  This tag is
              the total time across all retries and should be less than the
              time for which an OTP value remains valid.  The default is 5
              seconds.

       retries
              This tag specifies the number of retries to make to the RADIUS
              server.  The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be
              passed to the RADIUS server.  Otherwise, the realm will be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included
              in the ticket if this token type is used to authenticate.  This
              option may be specified multiple times.  (New in release 1.14.)

       In the following example, requests are sent to a remote server via UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its
       configuration is shown below.  You may override this token type to
       something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }


PKINIT OPTIONS

       NOTE:
          The following are pkinit-specific options.  These values may be
          specified in [kdcdefaults] as global defaults, or within a
          realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, does not add to, a generic
          [kdcdefaults] specification.  The search order is:

       1. realm-specific subsection of [realms]:

             [realms]
                 EXAMPLE.COM = {
                     pkinit_anchors = FILE:/usr/local/example.com.crt
                 }

       2. generic value in the [kdcdefaults] section:

             [kdcdefaults]
                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

       For information about the syntax of some of these options, see
       Specifying PKINIT identity information in krb5.conf(5).

       pkinit_anchors
              Specifies the location of trusted anchor (root) certificates
              which the KDC trusts to sign client certificates.  This option
              is required if pkinit is to be supported by the KDC.  This
              option may be specified multiple times.

       pkinit_dh_min_bits
              Specifies the minimum number of bits the KDC is willing to
              accept for a client's Diffie-Hellman key.  The default is 2048.

       pkinit_allow_upn
              Specifies that the KDC is willing to accept client certificates
              with the Microsoft UserPrincipalName (UPN) Subject Alternative
              Name (SAN).  This means the KDC accepts the binding of the UPN
              in the certificate to the Kerberos principal name.  The default
              value is false.

              Without this option, the KDC will only accept certificates with
              the id-pkinit-san as defined in RFC 4556.  There is currently
              no option to disable SAN checking in the KDC.

       pkinit_eku_checking
              This option specifies what Extended Key Usage (EKU) values the
              KDC is willing to accept in client certificates.  The values
              recognized in the kdc.conf file are:

              kpClientAuth
                     This is the default value and specifies that client
                     certificates must have the id-pkinit-KPClientAuth EKU as
                     defined in RFC 4556.

              scLogin
                     If scLogin is specified, client certificates with the
                     Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will
                     be accepted.

              none   If none is specified, then client certificates will not
                     be checked to verify they have an acceptable EKU.  The
                     use of this option is not recommended.

       pkinit_identity
              Specifies the location of the KDC's X.509 identity information.
              This option is required if pkinit is to be supported by the KDC.

       pkinit_indicator
              Specifies an authentication indicator to include in the ticket
              if pkinit is used to authenticate.  This option may be
              specified multiple times.  (New in release 1.14.)

       pkinit_pool
              Specifies the location of intermediate certificates which may
              be used by the KDC to complete the trust chain between a
              client's certificate and a trusted anchor.  This option may be
              specified multiple times.

       pkinit_revoke
              Specifies the location of Certificate Revocation List (CRL)
              information to be used by the KDC when verifying the validity
              of client certificates.  This option may be specified multiple
              times.

       pkinit_require_crl_checking
              The default certificate verification process will always check
              the available revocation information to see if a certificate
              has been revoked.  If a match is found for the certificate in a
              CRL, verification fails.  If the certificate being verified is
              not listed in a CRL, or there is no CRL present for its issuing
              CA, and pkinit_require_crl_checking is false, then verification
              succeeds.

              However, if pkinit_require_crl_checking is true and there is no
              CRL information available for the issuing CA, then verification
              fails.

              pkinit_require_crl_checking should be set to true if the policy
              is such that up-to-date CRLs must be present for every CA.

       pkinit_require_freshness
              Specifies whether to require clients to include a freshness
              token in PKINIT requests.  The default value is false.  (New in
              release 1.17.)
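
       The EKU and CRL decisions described under pkinit_eku_checking and
       pkinit_require_crl_checking, modelled in Python as an added example
       (this is not krb5 code).  The certificate and CRL records are
       constructed stand-ins; the EKU OIDs are the standard RFC 4556 and
       Microsoft values; the assumption that scLogin accepts either EKU is the
       model's own.  It makes the fail-open case visible: with
       pkinit_require_crl_checking left at false, a certificate from a CA for
       which no CRL is on hand still verifies.

```python
# Standard EKU OIDs (not listed on this page): id-pkinit-KPClientAuth from
# RFC 4556 and Microsoft's Smart Card Logon EKU.
ID_PKINIT_KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
ID_MS_KP_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"


def eku_acceptable(cert_ekus, pkinit_eku_checking="kpClientAuth"):
    """Apply the pkinit_eku_checking setting to a certificate's EKU list."""
    ekus = set(cert_ekus)
    if pkinit_eku_checking == "none":
        return True      # no EKU check at all; the page advises against it
    if pkinit_eku_checking == "kpClientAuth":
        return ID_PKINIT_KP_CLIENT_AUTH in ekus
    if pkinit_eku_checking == "scLogin":
        # Assumption of this model: scLogin widens the default rather than
        # replacing it, so either EKU satisfies the check.
        return bool(ekus & {ID_PKINIT_KP_CLIENT_AUTH, ID_MS_KP_SC_LOGON})
    raise ValueError("unknown pkinit_eku_checking value: %r" % pkinit_eku_checking)


def revocation_verdict(issuer, serial, crls, pkinit_require_crl_checking=False):
    """CRL decision as described above.

    crls maps an issuer name to the set of serials its CRL revokes; an issuer
    missing from the map has no CRL available to the KDC.
    """
    if issuer in crls:
        return "revoked" if serial in crls[issuer] else "ok"
    # No CRL for the issuing CA: the outcome depends only on the setting.
    return "no-crl-fail" if pkinit_require_crl_checking else "no-crl-ok"


def verify_client_cert(cert, crls, eku_checking="kpClientAuth", require_crl=False):
    """Run both checks in order; return (accepted, reason)."""
    if not eku_acceptable(cert["ekus"], eku_checking):
        return False, "eku"
    verdict = revocation_verdict(cert["issuer"], cert["serial"], crls, require_crl)
    return verdict in ("ok", "no-crl-ok"), verdict


# Constructed sample records; not real certificates or CRLs.
CRLS = {"CN=Example Issuing CA": {0x1001, 0x1002}}
CERT_OK = {"issuer": "CN=Example Issuing CA", "serial": 0x2000,
           "ekus": [ID_PKINIT_KP_CLIENT_AUTH]}
CERT_REVOKED = {"issuer": "CN=Example Issuing CA", "serial": 0x1001,
                "ekus": [ID_PKINIT_KP_CLIENT_AUTH]}
CERT_NO_CRL = {"issuer": "CN=Other CA", "serial": 0x3000,
               "ekus": [ID_MS_KP_SC_LOGON]}
```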

ENCRYPTION TYPES

       Any tag in the configuration files which requires a list of encryption
       types can be set to some combination of the following strings.
       Encryption types marked as "weak" are available for compatibility but
       not recommended for use.

             ┌───────────────────────────┬─────────────────────────────┐
             │des-cbc-crc                │ DES cbc mode with CRC-32    │
             │                           │ (weak)                      │
             ├───────────────────────────┼─────────────────────────────┤
             │des-cbc-md4                │ DES cbc mode with RSA-MD4   │
             │                           │ (weak)                      │
             ├───────────────────────────┼─────────────────────────────┤
             │des-cbc-md5                │ DES cbc mode with RSA-MD5   │
             │                           │ (weak)                      │
             ├───────────────────────────┼─────────────────────────────┤
             │des-cbc-raw                │ DES cbc mode raw (weak)     │
             ├───────────────────────────┼─────────────────────────────┤
             │des3-cbc-raw               │ Triple DES cbc mode raw     │
             │                           │ (weak)                      │
             ├───────────────────────────┼─────────────────────────────┤
             │des3-cbc-sha1              │ Triple DES cbc mode with    │
             │des3-hmac-sha1             │ HMAC/sha1                   │
             │des3-cbc-sha1-kd           │                             │
             ├───────────────────────────┼─────────────────────────────┤
             │des-hmac-sha1              │ DES with HMAC/sha1 (weak)   │
             ├───────────────────────────┼─────────────────────────────┤
             │aes256-cts-hmac-sha1-96    │ AES-256 CTS mode with       │
             │aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
             ├───────────────────────────┼─────────────────────────────┤
             │aes128-cts-hmac-sha1-96    │ AES-128 CTS mode with       │
             │aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
             ├───────────────────────────┼─────────────────────────────┤
             │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with       │
             │aes256-sha2                │ 192-bit SHA-384 HMAC        │
             ├───────────────────────────┼─────────────────────────────┤
             │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with       │
             │aes128-sha2                │ 128-bit SHA-256 HMAC        │
             ├───────────────────────────┼─────────────────────────────┤
             │arcfour-hmac rc4-hmac      │ RC4 with HMAC/MD5           │
             │arcfour-hmac-md5           │                             │
             ├───────────────────────────┼─────────────────────────────┤
             │arcfour-hmac-exp           │ Exportable RC4 with         │
             │rc4-hmac-exp               │ HMAC/MD5 (weak)             │
             │arcfour-hmac-md5-exp       │                             │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
             │camellia256-cts            │ CMAC                        │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
             │camellia128-cts            │ CMAC                        │
             ├───────────────────────────┼─────────────────────────────┤
             │des                        │ The DES family:             │
             │                           │ des-cbc-crc, des-cbc-md5,   │
             │                           │ and des-cbc-md4 (weak)      │
             ├───────────────────────────┼─────────────────────────────┤
             │des3                       │ The triple DES family:      │
             │                           │ des3-cbc-sha1               │
             ├───────────────────────────┼─────────────────────────────┤
             │aes                        │ The AES family:             │
             │                           │ aes256-cts-hmac-sha1-96,    │
             │                           │ aes128-cts-hmac-sha1-96,    │
             │                           │ aes256-cts-hmac-sha384-192, │
             │                           │ and                         │
             │                           │ aes128-cts-hmac-sha256-128  │
             ├───────────────────────────┼─────────────────────────────┤
             │rc4                        │ The RC4 family:             │
             │                           │ arcfour-hmac                │
             ├───────────────────────────┼─────────────────────────────┤
             │camellia                   │ The Camellia family:        │
             │                           │ camellia256-cts-cmac and    │
             │                           │ camellia128-cts-cmac        │
             └───────────────────────────┴─────────────────────────────┘

       The string DEFAULT can be used to refer to the default set of types for
       the variable in question.  Types or families can be removed from the
       current list by prefixing them with a minus sign ("-").  Types or
       families can be prefixed with a plus sign ("+") for symmetry; it has
       the same meaning as just listing the type or family.  For example,
       "DEFAULT -des" would be the default set of encryption types with DES
       types removed, and "des3 DEFAULT" would be the default set of
       encryption types with triple DES types moved to the front.

       While aes128-cts and aes256-cts are supported for all Kerberos
       operations, they are not supported by very old versions of our GSSAPI
       implementation (krb5-1.3.1 and earlier).  Services running versions of
       krb5 without AES support must not be given keys of these encryption
       types in the KDC database.

       The aes128-sha2 and aes256-sha2 encryption types are new in release
       1.15.  Services running versions of krb5 without support for these
       newer encryption types must not be given keys of these encryption
       types in the KDC database.

KEYSALT LISTS

       Kerberos keys for users are usually derived from passwords.  Kerberos
       commands and configuration parameters that affect generation of keys
       take lists of enctype-salttype ("keysalt") pairs, known as keysalt
       lists.  Each keysalt pair is an enctype name followed by a salttype
       name, in the format enc:salt.  Individual keysalt list members are
       separated by comma (",") characters or space characters.  For example:

          kadmin -e aes256-cts:normal,aes128-cts:normal

       would start up kadmin so that by default it would generate
       password-derived keys for the aes256-cts and aes128-cts encryption
       types, using a normal salt.

       To ensure that people who happen to pick the same password do not have
       the same key, Kerberos 5 incorporates more information into the key
       using something called a salt.  The supported salt types are as
       follows:

                      ┌──────────┬────────────────────────────┐
                      │normal    │ default for Kerberos       │
                      │          │ Version 5                  │
                      ├──────────┼────────────────────────────┤
                      │v4        │ the only type used by      │
                      │          │ Kerberos Version 4         │
                      │          │ (no salt)                  │
                      ├──────────┼────────────────────────────┤
                      │norealm   │ same as the default,       │
                      │          │ without using realm        │
                      │          │ information                │
                      ├──────────┼────────────────────────────┤
                      │onlyrealm │ uses only realm            │
                      │          │ information as the salt    │
                      ├──────────┼────────────────────────────┤
                      │afs3      │ AFS version 3, only used   │
                      │          │ for compatibility with     │
                      │          │ Kerberos 4 in AFS          │
                      ├──────────┼────────────────────────────┤
                      │special   │ generate a random salt     │
                      └──────────┴────────────────────────────┘
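
       An added Python example (not krb5 code) that applies the list rules
       from ENCRYPTION TYPES and the enc:salt format from this section: it
       expands DEFAULT, families and the +/- prefixes into an ordered enctype
       list, reports the weak members so a list can be audited before it is
       put into kdc.conf, and parses keysalt lists.  The DEFAULT set it uses
       is a constructed stand-in, since the real default depends on the tag
       being set and on the krb5 release; the family and alias tables are
       taken from the table above.

```python
import re

# Aliases from the enctype table, each mapped onto one canonical name.
ENCTYPE_ALIASES = {
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192", "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp", "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
    "camellia256-cts": "camellia256-cts-cmac", "camellia128-cts": "camellia128-cts-cmac",
}
# Types the table marks as weak: kept for compatibility, not recommended.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
KNOWN = WEAK | set(ENCTYPE_ALIASES.values()) | {t for f in FAMILIES.values() for t in f}
# Constructed stand-in for a tag's built-in default set (see the lead-in).
EXAMPLE_DEFAULT = FAMILIES["aes"] + ["des3-cbc-sha1", "arcfour-hmac"] + FAMILIES["camellia"]
SALT_TYPES = {"normal", "v4", "norealm", "onlyrealm", "afs3", "special"}


def _tokens(spec):
    """Split a list on commas or whitespace, dropping empty pieces."""
    return [t for t in re.split(r"[\s,]+", spec.strip()) if t]


def canonical_enctype(name):
    """Resolve an alias to its canonical enctype name; reject unknown names."""
    enc = ENCTYPE_ALIASES.get(name, name)
    if enc not in KNOWN:
        raise ValueError("unknown enctype: %r" % name)
    return enc


def expand_enctype_list(spec, default=EXAMPLE_DEFAULT):
    """Expand DEFAULT, families and +/- prefixes into an ordered list."""
    result = []
    for tok in _tokens(spec):
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name == "DEFAULT":
            members = list(default)
        elif name in FAMILIES:
            members = FAMILIES[name]
        else:
            members = [canonical_enctype(name)]
        if sign == "-":      # remove from the list built so far
            result = [e for e in result if e not in members]
        else:                # append; a type already present keeps its place
            result += [e for e in members if e not in result]
    return result


def weak_members(enctypes):
    """Weak types present in a list, so it can be audited before use."""
    return [e for e in enctypes if e in WEAK]


def parse_keysalt_list(spec):
    """Parse enc:salt pairs separated by commas or spaces into tuples."""
    pairs = []
    for tok in _tokens(spec):
        enc, sep, salt = tok.partition(":")
        if not sep or salt not in SALT_TYPES:
            raise ValueError("bad keysalt pair: %r" % tok)
        pairs.append((canonical_enctype(enc), salt))
    return pairs
```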

SAMPLE KDC.CONF FILE

       Here's an example of a kdc.conf file:

          [kdcdefaults]
              kdc_listen = 88
              kdc_tcp_listen = 88
          [realms]
              ATHENA.MIT.EDU = {
                  kadmind_port = 749
                  max_life = 12h 0m 0s
                  max_renewable_life = 7d 0h 0m 0s
                  master_key_type = aes256-cts-hmac-sha1-96
                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
                  database_module = openldap_ldapconf
              }

          [logging]
              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

          [dbdefaults]
              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

          [dbmodules]
              openldap_ldapconf = {
                  db_library = kldap
                  disable_last_success = true
                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read rights on
                      # the realm container and principal subtrees
                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
                      # this object needs to have read and write rights on
                      # the realm container and principal subtrees
                  ldap_service_password_file = /etc/kerberos/service.keyfile
                  ldap_servers = ldaps://kerberos.mit.edu
                  ldap_conns_per_server = 5
              }

FILES

       /var/kerberos/krb5kdc/kdc.conf

SEE ALSO

       krb5.conf(5), krb5kdc(8), kadm5.acl(5)

AUTHOR

       MIT

COPYRIGHT

       1985-2019, MIT



1.17                                                               KDC.CONF(5)